Bugtraq mailing list archives

Re: Clarifying integer overflows vs. signedness errors

From: Pavel Kankovsky <peak () argo troja mff cuni cz>
Date: Sat, 25 Nov 2006 19:02:16 +0100 (CET)

On Tue, 21 Nov 2006, Steven M. Christey wrote:

I think of an integer overflow as being: "some computation (addition,
multiplication) would produce an integer value that is too large to be
stored in the actual memory location, so the integer wraps to some
other value."  (let's leave integer "underflow" out of this for the
moment).


The passing of a signed variable called "len" to an unsigned parameter of
copyout() is a (trivial) computation producing a value that does not fit
into the target type. Negative values "wrap around" and monotonicity
(length <= buffer size) is not preserved.

IMHO these two classes of problems grow from one common root.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

Current thread:

Clarifying integer overflows vs. signedness errors Steven M. Christey (Nov 21)
- Re: Clarifying integer overflows vs. signedness errors Thiago Zaninotti (Nov 22)
- Re: Clarifying integer overflows vs. signedness errors Pavel Kankovsky (Nov 25)